How many times have you asked yourself: how can I clean up Active Directory from the group membership perspective?
How can I clean up resigned users? A few months ago we were discussing the importance of group membership.
Sometimes group membership determines how many licenses I'm using for a specific product, or how many sessions (Citrix, for example) I'm potentially delivering to end users.
Anyway, independently of your usage and purpose, we were also discussing keeping resigned users "alive" (or zombified) in a specific OU.
There are many reasons for doing so, and this is not the right moment to discuss them.
What's important is that the customer continually moves resigned users to a specific OU without cleaning up their group membership.
I created this script to help clean up, on a weekly basis for example, all these parameters inside the user account properties.
Below is a simple and quick script that could make your life easier :-)
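    # Disabled accounts under the "resigned" OU (SamAccountName is returned by default)
    $sam_disabled_users = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase "OU=resigned,OU=Users,DC=mydomain,DC=local" |
        Select-Object -ExpandProperty SamAccountName

    $sam_disabled_users | ForEach-Object {
        $user = $_
        # Use the group DN: -Identity matches DN, GUID, SID or sAMAccountName, not the Name attribute
        $user_disabled_groups = Get-ADPrincipalGroupMembership $user | Select-Object -ExpandProperty DistinguishedName
        $user_disabled_groups | ForEach-Object {
            $group = $_
            # The primary group (usually Domain Users) cannot be removed; that error is suppressed
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false -ErrorAction SilentlyContinue
        }
    }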
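An audited variant of the cleanup above, as an added example that is not the original author's script: it logs every removal attempt to a CSV so memberships can be reviewed or restored, skips the primary group, and supports `-WhatIf` for a dry run. The function name, log path and CSV columns are assumptions; the OU is the one used in the script above.

```powershell
# Added example: hypothetical function name, log path and CSV layout.
function Remove-ResignedGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SearchBase = "OU=resigned,OU=Users,DC=mydomain,DC=local",
        [string]$LogPath = ".\resigned-membership-$(Get-Date -Format yyyyMMdd).csv"
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # PrimaryGroup holds the DN of the user's primary group (usually Domain Users)
    $users = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchBase -Properties PrimaryGroup

    foreach ($user in $users) {
        # AD refuses to remove a user from the primary group, so leave it out
        $groups = Get-ADPrincipalGroupMembership -Identity $user |
            Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup }

        foreach ($group in $groups) {
            $result = 'Skipped'
            if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Remove $($user.SamAccountName)")) {
                try {
                    # -ErrorAction Stop surfaces failures instead of hiding them
                    Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false -ErrorAction Stop
                    $result = 'Removed'
                } catch {
                    $result = "Failed: $($_.Exception.Message)"
                }
            }
            # -WhatIf:$false keeps the audit log written even during a dry run
            [pscustomobject]@{
                Timestamp = (Get-Date).ToString('s')
                User      = $user.SamAccountName
                Group     = $group.DistinguishedName
                Result    = $result
            } | Export-Csv -Path $LogPath -Append -NoTypeInformation -WhatIf:$false
        }
    }
}

# Dry run: lists what would be removed and logs each entry as "Skipped"
Remove-ResignedGroupMembership -WhatIf
```

Review the CSV from the dry run, then call the function without `-WhatIf` to perform the removals.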
Hope this helps.
See you soon